+13
Completed
Backstage Mode Option to Turn Off the Feature
The Backstage Mode feature that allows hosts to have complete Windows Terminal and PowerShell access to a remote machine doesn't have an option to turn it off except for using the option of unchecking SwitchLogonSession in Security Roles which also affect other features that are needed.
When you have the option to require Consent where the user has to allow access, if you use the Backstage Mode is doesn't require consent even thought the option is set on.
This is a big security issue for financial institutions that have secure servers and don't want people doing anything to their servers that they are not aware of. With the Backstage Mode option it's wide open.
Duplicates
1
Commenting disabled
Customer support service by UserEcho
I have not personally tried this. I was going thru the new features and saw this option so I started chatting (Ticket 11475408). I told him that our banks have to give us consent to access their servers and did this option require consent and I was told No.
If it does require consent does it show the user the screen that is being used for the Powershell and CMD window?
As far as the other issue of not seeing the consent screen if the user used RDP to access their server the normal consent screen isn't seen. The person on our side has to select the Logon Session for RDP not Console.
But still the Backstage option should be able to be turned off because financial institutions do not like it if they can't control who has access to their server.
This should be controlled by a separate variable, preferably one that allows us to restrict backstage access by group as well as account role. For security we need all of the following, otherwise it is pretty much a security hole to even have it available at all.
1) Backstage should comply with consent
2) Techs who can switch sessions, but not have backstage access (eg: assisting end users on terminal servers)
3) Techs who can have backstage access, but only on workstations (defined by groups). No server backstage allowed.
I agree that we need a way to disable Backstage. As our clients become more security conscience and we employ new security tools, Backstage is being flagged and considered a major security hole. I am voting also for some method, PER CLIENT and/or PER user group to be created.
I am not sure if this was implemented or because the way the LabTech / ConnectWise Automate integration works but I just found out that when using Backstage on a machine which requires Consent through LabTech also requires Consent for Backstage and there doesn't appear to be a way to disable that.
Hi Shannen,
We do have an option to turn off consent to the Backstage. If you wish to, you can go to Admin > Advanced Configuration Editor > Quick Settings and turn off 'Auto Consent to Backstage'.
Thanks.
Hi Rishikesh,
Does this also function that way when launching it from LabTech / Automate because I have that enabled but LabTech still is prompting for Consent.
Hi Shannen,
For the further investigation, please reach out to our Support team.
https://www.connectwise.com/services/support
Is there any updates to this, we found that Backstage allows access to AD/GPO which is unsecure for us, we use Backstage on customer machines, so turning this off isnt possible.
Hi Leo,
Latest 21.14 release includes the newly added permission for Backstage. So that makes Switchlogonsession and Backstage two separate permissions. Please make sure you are on 21.14 to have this permission.
Hope that helps !!